EPIC v. DHS - Defense Contractor Monitoring

Top News

Classified NSA Cybersecurity Directive Sought by EPIC Establishes NSA Cyberattack Authority: Presidential Policy Directive 20 orders the creation of potential targets for Offensive Cyber Effects Operations by the NSA. According to the classified document, the "Government shall identify potential targets of national importance where [cyberattacks] can offer a favorable balance of effectiveness and risk . . ." The Directive was signed last October and EPIC immediately filed a Freedom of Information request seeking public release of the policy as it implicates the privacy of domestic communications. The NSA refused to release the Directive. The White House released a summary of the Directive, but failed to disclose information about the NSA's proposed cyberattacks. PPD-20 was made available to the public in a post to the Guardian by Glenn Greenwald. For more information, see EPIC: Presidential Directives and Cybersecurity, EPIC: EPIC v. NSA - Cybersecurity Authority and EPIC: Cybersecurity Privacy Practical Implications.
(Jun. 8, 2013)

EPIC FOIA Request Reveals Details About Government Cybersecurity Program: New documents obtained by EPIC in a Freedom of Information Act lawsuit reveal that the Department of Defense advised private industry on how to best circumvent federal wiretap law. The documents concern a collaboration between the Defense Department, the Department of Homeland Security, and private companies to allow government monitoring of private Internet networks. Though the program initially only applied to defense contractors, an Executive Order issued by the Obama administration earlier this year expanded it to include other "critical infrastructure" industries. The documents obtained by EPIC also cited NSPD 54 as one source of authority for the program. NSPD 54 is a presidential directive issued under President Bush that EPIC is pursuing in separate FOIA litigation. For more information, see EPIC: EPIC v. DHS (Defense Contractor Monitoring), and EPIC: EPIC v. NSA - Cybersecurity Authority.
(Apr. 24, 2013)

Background

On June 16, 2011, the Washington Post reported that the NSA had implemented a new program designed to monitor all traffic flowing through certain ISPs to a select number of defense contractors. The goal of this pilot program is the "thwarting [of] cyberattacks against defense firms," although Deputy Secretary of Defense William J. Lynn III stated that "[w]e hope the . . . cyber pilot can be the beginning of something bigger." The NSA pilot program is to serve as a model that can be "transported to other critical infrastructure sectors, under the leadership of the Department of Homeland Security."

Although no public name has been given to this new program, it is known that the NSA has partnered with AT&T, Verizon and CenturyLink to filter the traffic of fifteen defense contractors, including Lockheed Martin, CSC, SAIC and Northrop Grumman. The NSA claims that it will not be "direct[ly] monitoring the contractors' networks." Instead, it has developed "signatures" of malicious code as well as sequences of suspicious network behavior that it will apply to filter all Internet traffic on those ISPs that flows to these defense contractors. By applying these signatures and filtering suspicious behavior, the NSA will be able to "disable the threats before an attack can penetrate a contractor's servers."

Individuals within the Department of Justice expressed misgivings that the program would "run afoul of privacy laws forbidding government surveillance of private Internet traffic." The Electronic Communications Privacy Act ("ECPA"), 18 U.S.C. § 2510, prohibits the interception of electronic communications without a court order or consent from one of the parties. The NSA has alleged that the Agency "will not directly filter the traffic or receive the malicious code captured by Internet providers." It is unclear how the program can detect malicious code and prevent its execution without "captur[ing]" it in violation of federal law.

Deputy Secretary of Defense William J. Lynn III publicly spoke about the program and provided a rough outline of its scope. He stated that it is currently run by the NSA, and that DHS is a partner.

EPIC's Freedom of Information Act Request and Subsequent Lawsuit

All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program;

All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program;

All analyses, legal memoranda, and related records regarding the new NSA pilot program;

Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program;

Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.

DHS referred EPIC's FOIA Request to the National Protection and Programs Directorate. The Directorate is charged with risk-reduction activities associated with the mission of DHS. The National Protection and Programs Directorate failed to provide any documents, and EPIC filed an Administrative Appeal in January 2012.

On March 1, 2012, EPIC filed a lawsuit against DHS over the agency's failure to respond to EPIC's request, seeking to compel the disclosure of documents relating to the monitoring program.